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Abstract. We present an abstract framework for concurrent processes in which 
atomic steps have generic side effects, handled according to the principle of 
monadic encapsulation of effects. Processes in this framework are potentially in- 
finite resumptions, modelled using final coalgebras over the monadic base. As 
a calculus for such processes, we introduce a concurrent extension of Moggi's 
monadic metalanguage of effects. We establish soundness and completeness of a 
natural equational axiomatisation of this calculus. Moreover, we identify a core- 
cursion scheme that is explicitly definable over the base language and provides 
flexible expressive means for the definition of new operators on processes, such 
as parallel composition. As a worked example, we prove the safety of a generic 
mutual exclusion scheme using a verification logic built on top of the equational 
calculus. 



1 Introduction 

Imperative programming languages work with many different side effects, such as I/O, 
state, exceptions, and others, which all moreover come with strong degrees of vari- 
ations in detail. This variety is unified by the principle of monadic encapsulation of 
side-effects [21], which not only underlies extensive work in semantics (e.g. [17]) but, 
following [35], forms the basis for the treatment of side-effects in functional languages 
such as Haskell [25] and F# [31]. Monads do offer support for concurrent program- 
ming, in particular through variants of the resumption monad transformer [4, 13], which 
lifts resumptions in the style of Hennessy and Plotkin [15] to the monadic level, and 
which has moreover been used in information flow security [14], semantics of func- 
tional logic programming languages such as Curry [33], modelling underspecification 
of compilers, e.g. for ANSI C [23, 24], and to model the semantic of the 7r-calculus [10]. 
However, the formal basis for concurrent functional-imperative programming is not as 
well-developed as for the sequential case; in particular, Moggi's original computational 
meta-language is essentially limited to linear sequential monadic programs, and does 
not offer native support for concurrency. 

The objective of the present work is to develop an extension of the compu- 
tational meta-language that can serve as a minimal common basis for concurrent 
functional-imperative programming and semantics. We define an abstract meta-calculus 
for monadic processes that is based on the resumption monad transformer, and hence 
generic over the base effects inherent in individual process steps. We work with infi- 
nite resumptions, which brings tools from coalgebra into play, in particular corecursion 



and coinduction [28]. We present a complete equational axiomatization of our calculus 
which includes a simple loop construct (in coalgebraic terms, coiteration) and then de- 
rive a powerful corecursion schema that allows defining processes by systems of equa- 
tions. It has a fully syntactic justification, i.e. one can explicitly construct a solution 
to a corecursive equation system by means of the basic term language. Although there 
are strong corecursion results available in the literature (e.g. [1, 34, 19]), our corecur- 
sion schema does not seem to be covered by these, in particular as it permits prefixing 
corecursive calls with monadic sequential composition. 

We exemplify our corecursion scheme with the definition of a number of basic im- 
perative programming and process-algebraic primitives including parallel composition, 
and present a worked example, in which we outline a safety proof for a monadic version 
of Dekker's mutual exclusion algorithm, i.e. a concurrent algorithm with generic side- 
effects. To this end, we employ a more high-level verification logic that we develop on 
top of the basic equational calculus. 

Further related work There is extensive work on axiomatic perspectives on effectful 
iteration and recursion, including traced pre-monoidal categories [2], complete iterative 
algebras [19], Kleene monads [11], and recursive monadic binding [8]. The abstract 
notion of resumption goes back at least to [15]. (Weakly) final coalgebras of I/O-trees 
have been considered in the context of dependent type theory for functional program- 
ming, without, however, following a fully parametrised monadic approach as pursued 
here [12]. A framework where infinite resumptions of a somewhat different type than 
considered here form the morphisms of a category of processes, which is thus enriched 
over coalgebras for a certain functor, is studied in [ 18], but no metalanguage is provided 
for such processes. A metalanguage that essentially adds least fixed points, i.e. induc- 
tive data types as opposed to coinductive process types as used in the present work, 
to Moggi's base language is studied in [9]; reasoning principles in this framework are 
necessarily of a rather different flavour. A resumption monad without a base effect, the 
delay monad, is studied in [3] with a view to capturing general recursion. Our variant of 
the resumption monad transformer belongs to the class of parametrized monads intro- 
duced in [34], where a form of corecursive scheme is established which however does 
not seem to cover the one introduced here. 

2 Computational Monads and Resumptions 

We briefly recall the basic concepts of the monadic representation of side-effects, and 
then present the specific semantic framework required for the present work. Intuitively, 
a monad T (mostly referred to just as T) associates to each type A a type TA of com- 
putations with results in A; a function with side effects that takes inputs of type A and 
returns values of type B is, then, just a function of type A — > TB. In other words, by 
means of a monad we can abstract from notions of computation by switching from non- 
pure functions to pure ones with a converted type profile. One of the equivalent ways 
to define a monad over a category C is by giving a Kleisli triple T = (T, 77, _*) where 
T : Ob C — > Ob C is a function, 77 is a family of morphisms r\A ■ A —> TA called unit, 
and _* assigns to each morphism / : A —> TB a morphism /* : TA — > TB such that 
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rf A = id-TA, f* °VA — f, an d 9* ° /* = (.9* /)*■ Thus, r]A converts values of 
type A into side-effect free computations, and _* supports the sequential composition 
g*f of programs / : A — > TB and g : B — !> TC. A monad over a Cartesian category 
is strong if it is equipped with a natural transformation ta,b '■ A x TB — > T(A x £?) 
called strength, subject to certain coherence conditions [21]. Since we are interested in 
concurrency, we require additional structure for non-determinism: 

Definition 1 (Strong semi-additive monads). A strong monad T = (T, ??,_*, r) is 
semi-additive if there exist natural transformations S : 1 —> T and w : T x T —> T 
making every TA an internal bounded join-semilattice object so that _* and t respect 
the join-semilattice structure in the following sense: 



The above definition forces the nondeterministic choice to be an algebraic operation in 
sense of [26]. This implies that the semilattice structure distributes over binding from 
the left (but not necessarily from the right) as reflected in our calculus in Section 3. 

Remark 2. As in the original computational metalanguage [21], we work over an arbi- 
trary base category C, with Set and wCpo as prominent instances, thus establishing 
our corecursion scheme at a high level of generality. Our calculus will be sound and 
complete w.r.t. the whole class of possible instances of C. Restricting, e.g., to order- 
theoretic models will, of course, preserve soundness, while completeness may break 
down due to particular properties of the base category becoming observable in the cal- 
culus. The FIX-logic of Crole and Pitts [6] is sound and complete w.r.t. certain order- 
theoretic models compatible with our models, in particular with Set. 

Example 3. [21] The core examples of strong semi-additive monads are the finite pow- 
erset monad V u , or, in the domain-theoretic setting, various powerdomain construc- 
tions. Moreover, the powerset monad V and more generally, the quantale monad [16] 
XX.Q X for a quantale [27] Q are strong semi-additive monads. Further examples of 
semi-additive monads can be obtained from basic ones by combining them with other 
effects, e.g. by adding probabilistic choice [32] or by applying suitable monad trans- 
formers. In particular, the following monad transformers (which produce a new monad 
Q, given a monad T) preserve semi-additivity over any base category with sufficient 
structure: 

1. Exceptions: QA = T(A + E), 3. I/O: QA = fiX. T(A + I (X x O)), 

2. States: QA = S -> T(A x S), 4. Continuations: QA = (A -> TK) — » TK. 

E.g., the non-deterministic state monad TX = S — > P(S x X), is a strong semi- 
additive monad both over Set (with P denoting any variant of powerset) and over any 
reasonable category of domains (with P denoting a powerdomain construction with 
deadlock). 

To model processes which are composed of atomic steps to be thought of as pieces of 
imperative code with generic side-effects, we use a variant of the resumption monad 



f*S = 5, 
r(f x6)=6, 



t(/ x w) = w{r{f X 7Tl), t(/ X 7T 2 )). 
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transformer [4]: Assuming that for every X S Ob (C) the endofunctor T(Id + X) : 
C — > C possesses a final coalgebra, which we denote by uj. T(j + X), we define a 
new monad R by 

RX = v-y. T( 7 + X) 

— R exists, e.g., if the base category is locally presentable and T is accessible [36], a ba- 
sic example being TX = S — > P(S x X) where P is finite powerset or a powerdomain. 
Intuitively, a resumption, i.e. a computation in RX, takes an atomic step in T and then 
returns either a value in X or a further computation in RX, possibly continuing in this 
way indefinitely. Using a final coalgebra semantics amounts to identifying processes up 
to coalgebraic behavioural equivalence, which generalizes strong bisimilarity. 

3 A Calculus for Side-effecting Processes 

As originally observed by Moggi [21], strong monads support a computational meta- 
language, i.e. essentially a generic sequential imperative programming language. Here 
we introduce a concurrent version of the metalanguage, the concurrent metalanguage, 
based semantically on the resumption monad transformer. 

The concurrent metalanguage is parametrised over a countable signature £ includ- 
ing a set of atomic types W, from which the type system is generated by the grammar 

P ::= W | 1 | P x P | P + P | TP \ T V P 

— that is, we support sums and products, but not functional types, our main target 
being the common imperative programming basis, which does not include functional 
abstraction. Base effects are represented by T, and resumptions by T v . 

Moreover, S includes function symbols / : A — > B with given profiles, where A 
and B are types. The terms of the language, also referred to as programs, and their types 
are then determined by the rules shown in Fig. 1; the dotted line separates operators 
for sequential non-determinism from the process operators . Besides the standard term 
language for sums and products and the bind and return operators do and ret of the 
computational metalanguage, the concurrent metalanguage includes operations and 
+ are called deadlock and choice, respectively, as well as two specific constructs {out 
and unfold) for resumptions, explained later. Judgements r\>t : A read 'term t has type 
A in context J", where a context is a list r = [x\ : A\, . . . ,x n : A n ) of typed variables. 
Programs whose type is of the form T V A are called processes. The notions of free and 
bound variables are defined in a standard way, as well as a notion of capture-avoiding 
substitution. 

The semantics of the concurrent metalanguage is defined over ME„-models, re- 
ferred to just as models below. A model is based on a distributive category [5] C, 
i.e. a category with binary sums and finite products such that the canonical map 
Ax B + Ax C —> Ax (B + C) is an isomorphism, with inverse dist : Ax(B + C) — > 
A x B + A x C (this holds, e.g., when C is Cartesian closed). Moreover, it specifies 
a strong semi-additive monad T on C such that for every A G Ob (C) the functor 
T(Id + A) possesses a final coalgebra denoted RA = vj. T(j + A), thus defining a 
functor R (resumptions). 
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x: Aer f:A^B€E T > t : A 

(var) rF^4 (app) r>f(t):B (1) i T FTTT 

, . rt>t:A rr>u:B „ s rr>t:AxB T > t : A X S 

(pair) P>(t, u ):Axi? (fSt) r>fctt:A (Md) r>sn6t:B 

r>s:A + B r.x : A>t : C r,y:B\>u:C 
(case) j-r- : — (nil) 



r > case s of inl x i-t t; inr y i-» u : C T > : 

.. ,, r>t : yi „ 4 r>t-.B /x rotiA 

(inl) — — — — (inr) — — : — (ret) 



r>inlt: A + B r>mrt:A + B T>rett:TA 

., . r > p : TA r,x : A\> q:TB / , , T t> p + q : TA 

( d °) F— T— Z—TF^ (P |US > 



r > do x «- p- q : TB r T > p : TA T > q : TA 

(out) r>p:T„A r>p:A T, x : A O q : T(A + B) 

T > out(p) : T(T„ A + A) r t> init x := p unfold {g} : T V B 



Fig. 1. Typing rules for the concurrent metalanguage 



A model interprets base types as objects of C. The interpretation \A\ of types A is 
then defined by standard clauses for l,AxB, and A + B and {TA} =T{A}, \T V A\ = 
R\A\. For r = (x-l : Ai,...,x n : A n ) we put [P] = [-AJ x • • ■ x [A„]. Moreover, a 
model interprets function symbols / : A — > B as morphisms J/J : \A\ — > [£?]], which 
induces an interpretation [t] : |P] — >■ JA] of programs r \> t : A given by the usual 
clauses for variables, function application, pairing, projections, injections, and *. The 
operations + and are interpreted by the bounded join semilattice operations w and 5 
of T, respectively. For the monad operations and the case operator, we have 

- [P > case s of inl x >-> t; inrj/n-u:C] = 

[[/> : A>i : C],[P,y : B>u : Cj] o c/isi o (id, [P > s : A + £?]), 

- [P > do a; <- p; g : T5J = [P, a: : A > q : PS] O r [r j, M o (id, [P > p : TA}), 

- [P O ret i : TAJ = ? M o [P > t : A], 

where as usual {/, .g) : A — > B x C denotes pairing of morphisms / : A —> B, 
g : A^ C, and [/, g] : A + B ->• C denotes copairing of / : A -> C and g : B ->• C. 

It remains to interpret out, which is just the final coalgebra structure of RA, and 
the loop construct init a; := p unfold {q} which captures coiteration. Formally, let a A : 
RA — ► T(RA + A) be the final coalgebra structure, and for a coalgebra / : X — > 
T{X + A), let Ff ■ X —> RA be the unique coalgebra morphism. Then we put 

\T > out(p) : T{T V A + A)} = a m o [P > p : T V A\ 
[P > init a; := p unfold {q} : T V B\ = Rtt 2 o F f o (id, [P > p : A}) 
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(casejnl) case inlp of inlx i— > g; inry 4r = g[p/a;] (fst) fst(p, g) = p 

(casejnr) case inrp of inl x n> g; inry h-s> r = r[p/y] (snd) snd(p, g) = g 

(casejd) case p of inl x i— > inl x; inry i-» inr y = p (pair) (fstp, sndp) = p 

case p of inl x i-> t[g/z]; inry i-> 
(case_sub) (x, y $5 Vars(r)) 

= t[case p of inl x g; inr y i-> r/z] 

(★) p : 1 = * (uniti) do x <— p; ret a; = p (unit2) doi f- reta;p = p[a/x] 

(assoc) do x' <— (do y <— p; g); r = do x p; y <— g; r (y ^ Vars(r)) 

(nil) p + = p (comm) p + q — q + p (idem) p + p = p 

(assoc_plus) p + (g + r) — (p + g) + r (distjiil) do x •<— 0; r = 

(dist_plus) do i f- (p + g) ; r = do x -s— p; r + do x <— g; r 

out(p) = next g is restx i— >• contp; doney M> stopy 



(co-iter) 



p[y/x] = init x := y unfold {g} 



Fig. 2. Axiomatization of the concurrent metalanguage 

where/ = T(dist) or(7Ti, g) with g = [r,a; : A>g : T(A + B)]|. Thus, F/ is uniquely 
determined by the commutative diagram 

in x \A\ T(diSt) ° T(,ri 'f > T([r] x [A] + [P] x IS]) 



it 



T(F/+id) 



i?(in x is]) T(i?(irj x [B]) + [r] x 

A model is said to satisfy a well-typed equation r > t = s if [r > t : AJ = fr > s : A]. 

As suggestive abbreviations for use in process definitions, we write cont for (ret inl) 
and stop for (ret inr). Moreover, we write (nextp is restx h- > g; doney n- 7-) for 
(do zf-p; case z of inl x h-» g; inry h-> r) . We also define a converse tuo : T(T U A + 
A) -> T^A to out by 

tuo(p) = init gr := p unfold {next q is resty n> cont(out(y)); donex n> stopx}. 

An axiomatization ME^ of the concurrent metalanguage is given in Fig. 2 (where we 
omit the standard equational logic ingredients including the obvious congruence rules). 
Apart from the standard axioms for products and coproducts, M E v contains three well- 
known monad laws, axioms for semi-additivity (middle section) and a novel (bidirec- 



6 



tional) rule (co-iter) for effectful co-iteration (which in particular can be used to show 
that tuo is really inverse to out). 

Theorem 4. M E v is sound and strongly complete over M E v -models. 

A core result on the concurrent metalanguage is an expressive corecursion scheme sup- 
ported by the given simple axiomatisation. Its formulation requires n-ary coproducts 
Ax -\ h A n with coproduct injections inj™ : Aj — > A\ + . . . + A n and a correspond- 
ingly generalized case construct; all this can clearly be encoded in ME„. 

Theorem and Definition 5 (Mutual corecursion). Let fi : Ai —> T v Bi, i = 1, . . . , k 
be fresh function symbols. A guarded corecursive scheme is a system of equations 

out(/j(x)) =dozf- p t ; case z of inj" 1 x\ \-t p\; . . . ; inj"; x ni H- p 1 ^ 

for i = 1, . . . , k such that for every i, pi does not contain any fj, and for every i, j Pj 
either does not contain any f m or is of the form p* = cont f m (xj) for some m. Such a 
guarded corecursive scheme uniquely defines fi, ■ ■ ■ , fk (as morphisms in the model), 
and the solutions fi are expressible as programs in M E„. 

As a first application of guarded corecursive schemes, we define a binding operation 
doy with the same typing as do but with T replaced by T v corecursively by 

out(do„ x <— p\ q) = next out(p) is rests i-> cont(do^ x ^— p;q); done.T M> out(g). 

Similarly, we define operations ret,,, 0„, and + v as analogues of ret, 0, and + by 
putting ret„p = tuo(stopp), 0^ = tuo(0), and p+^q = tuo(out(p) + out(q)). These 
operations turn T v into a strong- semiadditive monad; formally, we can derive (in M E^) 
the top and middle sections of Fig. 2 with T replaced by T u (the monad laws already 
follow from results of [34]). 

4 Programming with Side-effecting Processes 

Above, we have begun to define operations on processes; in particular, 0„ is a dead- 
locked process, and + y is a nondeterministic choice of two processes. We next show 
how to define more complex operations, including parallel composition, by means of 
guarded corecursive schemes. 

Note that over distributive categories, one can define the type of Booleans with 
the usual structure as 2 = 1 + 1. We write (if b thenp else q) as an abbreviation for 
(case b of inl x H> p; inr x H > q) where b has type 2. 

Sequential composition Although T v is a monad, its binding operator is not quite 
what one would want as sequential composition of processes, as it merges the last step 
of the first process with the first step of the second process. We can, however, capture 
sequential composition (with the same typing) in the intended way by putting 

seq x <— p;q = do u x <— p; tuo(cont q) . 
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Branching Using the effect-free if operator defined earlier, we can define a conditional 
branching operator for processes p, q : T V A and a condition b : T2 by 

if„ b then p else q = tuo(do z <S— b; if z then (contp) else (cont g)) . 

Looping For terms r > p; r, x : A > b : T2; and r, x : A \> q : T U A, we define loops 

r > init x := p while b do g : T^A and J 1 > init x := p do g until b : T V A 

as follows. We generalize the until loop to a program U\ q (r) for _T > r : T„A intended 
to represent seq y r;initx := y while b do g (so that (init x := p do q until 6) = 
{/* ? (g[p/x])) and abbreviate (p) = (initx := p while 6 do g). We then define the 
four functions g and ?7* (for b : 2) by the guarded corecursive scheme 

out(Wj„(p)) = do v <— 6[p/x]; if v then cont(J7^g(g[p/a;])) else stop(p), 
out([/k 9 ( r )) = next out(r) is restz h-> cont(£/^ 9 (z)); doney i-> cont(W / 2 7^(y)). 

Exceptions As the concurrent metalanguage includes coproducts, the exception monad 
transformer(T B y4 = T(A + E)) [4] and the corresponding operations for raising and 
handling exceptions are directly expressible in ME^. 

Interleaving We introduce process interleaving || : T V A x T V B — > T U {A x B) by a 
CCS-style expansion law [20] (using an auxiliary left merge [[) 

out(p||g) = out(p[[g) + do(x,y) <- out(g |]_p); ret(j/,x), 
out(p [[g) = next out(p) is restr i— > cont(r || g); 

done x i-> cont(do„ y <S— g; ret„(x, j/)). 

This is easily seen to be equivalent to the guarded corecursive scheme 

out(p || q) = do u <- (p[q+p\ q); 

case u of inl(s, t) M> cont(s || t); inr r i-t cont r 

where forp : T V A, q : T V B, p[q: T(T„A x T V B + T V {A x B)) is defined as 

p [ q = next out(p) is rest r M> ret inl(r, q); donex H> ret inr(do^ y <s— g; ret !/ (x, y)) 

and p J g : T(T V A x T„B +T„(ylxB)) is the evident dual of p [ q. 

5 Verification and Process Invariants 

We now explore the potential of our formalism as a verification framework, extending 
existing monad-based program logics [29, 30] to concurrent processes. A cornerstone 
of these frameworks is a notion of pure program: 

Definition 6 (Pure programs). A program p : TA is pure if 
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- p is discardable, i.e., do y <— p; ret* = ret*; 

- p is copyable, i.e. do x <— p: y ^— p; ret(x, y) = do :i f- p; ret(x, x); and 

- p commutes with any other discardable and copyable program q, i.e. 

(do x <— p; y <— g; ret(x, y)) = do y <!— q; a; p; ret (a;, y). 

Intuitively, pure programs are those that can access internal data behind the computation 
but cannot affect it. A typical example of a pure program is a getter method. As shown 
in [29], pure programs form a submonad P of T. A test is a program of type P2. All 
logical connectives extend to tests; e.g. —b = (do x ^— b: ret -ix) for b : P2. 

Given a program p : TA and tests <fi, ip : P2, the program filter(p, cp, ip) : TA is 
defined by the equation 

filter(p, <p, ip) = do x <— (p; y <— p; z <— ip; if (x => z) then ret y else 0. 

Intuitively, filter modifies the given program p by removing those threads that satisfy 
the precondition <p but fail the postcondition ip. This enables us to encode a Hoare triple 
(alternatively to [29, 30]) by the equivalence 

{<f>}p{i/>} filter(p, <£, V>) = p 

— i.e. the Hoare triple {0}p{V'} is satisfied iff filter(p, 0, ip) does not remove any exe- 
cution paths from p. On the other hand, filter extends to processes as follows: 

filter„(p, 0, ip) = initz := p unfold {tuo(filter(out(z), (f> 7 ip))}. 

It turns out that the above definition of Hoare triple is equivalent to the one from [29, 30] , 
which in particular enables use of the sequential monad-based Hoare calculus of [30]: 

Lemma 7. For every program p and tests <p>, ip, {<p}p{ip} is equivalent to the equation 

do x <— <p; y <— p; z <— ip; ret(x, y, z, x =>■ z) = 
do x <— <p; y <!— p; z ip; ret(x, y, z, T). 

A test <p is an invariant of process p if V\\ter v (p, <p, <p) — p. We use inv(p, (p) as a 
shorthand for this equality. Given a process p : T V A, we define partial execution of p 
by 

exec(p) = tuo(next p is rest a; i-> out(x); donex i-> stopx). 

For every p, exec(p) is precisely the program obtained by collapsing the first and the 
second steps of p into one. We denote by exec"(p) the n-fold application of exec to p. 
This allows us to formalize satisfaction of a safety property <p by a process p: 

'p is safe w.r.t. ip at <p' iff for every n, {</>} exec™ (p) {?/>}. 

Note, however, that this definition is not directly expressible in our logic, because it in- 
volves quantification over the naturals. Often this problem can be overcome by picking 
out a suitable process invariant. 

Lemma 8. Let <p, ip, and £ be tests such that (p £ and £ => ip, and let p be a process. 
Then inv(p, £) implies {</>} exec™ (p){ip} for every n. 
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6 Worked Example: Dekker's Mutual Exclusion Algorithm 



We illustrate the use of our calculus by encoding Dekker's mutual exclusion algorithm. 
This algorithm was originally presented as an Algol program, and hence presumes some 
fixed imperative semantics, while we present (and verify) a version with generic side- 
effects. We introduce the following signature symbols: 

sct_flag : 2 x 2 Tl, set.turn : 2 Tl, 

get Jlag : 2 ->• P2, turn_is : 2 -> P2, 

which can be roughly understood as interface functions accessing variables 
f lagl, f lag2 and turn. This is justified by a suitable equational axiomatization 
of the above operators, which includes the following axioms (we assume i ^ j): 

do set_fl.ag(i, b); getJlag(i) = do set_flag(i, b); ret b 
do set _flag(i, b); set_flag(j, c) = do set_flag(j, c); set_flag(i, b) 
do set_flag(i, b); set_flag(i, c) = set_flag(i, c) 

do set_turn(6); turn_is(c) = do set_turn(6); ret(6 •<=>• c) 
do sct_turn(6); set_turn(c) = set_turn(c). 

(Obvious further axioms are omitted.) The crucial part of Dekker's algorithm is a 
(sub)program implementing busy waiting. In our case this is captured by the function 
busyjwait : 2 —> Tl defined as follows: 

busyjwait(i) = while gct_flag(flip(i)) do if^ turn_is(flip(i)) 

then seq [sct_flag(i, _L)]; await(turn_is(i)) 
else [set_flag(i, T)] 

Here, we used the following shorthands: [p] = tuo(stopp) denotes the one-step process 
defined by p : TA, flip : 2 — ^ 2 is the function swapping the coproduct components of 
2 = 1 + 1; (while b do q) encodes (init x <— * while b do q); finally, (await 6) with b of 
type T2, intuitively meaning 'wait until 6', is defined by the equation: 

await b = while -i&do ret„*. 

Finally, we define a generic process accessing the critical section: 

proc(i,p) = seq [sct_flag(i, T)]; busy_wait(i); 

[in_cs(i)];p; [out_cs(i)]; 
[set_turn(flip(i))]; [set_flag(i, _L)]. 

Here we use the functions in_cs, out_cs : 2 — > Tl in order to keep track of the beginning 
and the end of the critical section. These functions are supposed to work together with 
the testing function cs : 2 — > T2 as prescribed by the axioms 

do in_cs(i); cs(i) = do in_cs(i); ret T, 
do out_cs(«); cs(i) = do out_cs(i); ret _L. 
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Now the safety condition for the algorithm can be expressed by the formula 

Vn.{->cs(I) A -cs(2)}exec ra (proc(l,p) || proc(2, g)){-ics(l) V -.cs(2)} 

where 1 and 2 are the canonical coproduct injections inl* and inr*. By Lemma 8, it 
suffices to show that the following formula 

-ics(l) A cs(2) A get_flag(2) V -cs(2) A cs(l) A get _flag(l) V -.cs(l) A -.cs(2) 

is an invariant of proc(l, p) || proc(2, q). As can be shown by definition of parallel com- 
position, this holds iff the same formula is an invariant of both proc(l,p) andproc(2, q), 
which in turn can be shown by coinduction in ME„. 

7 Conclusions and further work 

We have studied asynchronous concurrency in a framework of generic effects. To this 
end, we have combined the theories of computational monads and final coalgebras to 
obtain a framework that generalizes process algebra to encompass processes with side- 
effecting steps. We have presented a sound and complete equational calculus for the 
arising concurrent metalanguage ME V , and we have obtained a syntactic corecursion 
scheme in which corecursive functions are syntactically reducible to a basic loop con- 
struct. Within this calculus, we have given generic definitions for standard imperative 
constructs and a number of standard process operators, most notably parallel composi- 
tion. 

Although the proof principles developed so far are already quite powerful, as was 
shown in an example verification of a generic mutual exclusion scheme following 
Dekker's algorithm, we intend to develop more expressive verification logics for side- 
effecting processes, detached from equational reasoning. Initial results of this kind have 
already been used in the example verification, specifically an encoding of generic Hoare 
triples and an associated proof principle for safety properties. An interesting perspec- 
tive in this direction is to identify a variant of the assume/guarantee principle for side- 
effecting processes (cf. e.g. [7]). A further topic of investigation is to develop weak 
notions of process equivalence in our framework, such as testing equivalence [22]. 

Finally, the decidability status of ME^ remains open. Note that in case of a positive 
answer, all equations between functions defined by corecursion schemes, e.g. process 
algebra identities, become decidable. While experience suggests that even very simple 
calculi that combine loop constructs with monadic effects tend to be undecidable, the 
corecursion axiom as a potential source of trouble seems rather modest, and no evident 
encoding of an undecidable problem appears to be directly applicable. 
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Appendix: Proof details. 



We justify the definition of the injections inj™ : Ai — > A\ + • • • + A n by the recursive 
equations: 

■ I ■ ■ 71 -\— 1 a l ■ ■ 71 ~\- 1 ■ ■ ■ 71 

\nj lP = p, mj™^ p = \n\p, inj^ p = mr inj^p. 

We call a guarded corecursive equation an equation of the form 

out(/(ai)) = do z <— p; case z of inj" x% t-> p±; . . . ; inj™ x„ i-> p„ (**) 

if / does not occur in p and none of the pt contains / unless pt = cont f(xi) (which is, 
of course, well-typed only in case Ai = A). The fact that the right-hand side is prefixed 
with the binding z p plays an important role for the expressiveness of the scheme; a 
comparatively trivial point in this respect is that this allows substituting the arguments 
Xi in cont f(xi) by arbitrary terms. 

Lemma 9 (Corecursion). Given some appropriately typed programs p and the pi such 
that (**) is guarded, there is a unique function f satisfying (**) and this function is 
defined by an effectively computable metalanguage term. 

Proof. The idea is to start from a special case and successively extend generality. 

(i) Suppose that n = 2,p\ = cont f(x) and pi does not contain /. Let A T V B be 
the type profile of / and let us define a function F : A + T V B — > T V B by putting: 
F(z) = (initz := z unfold {H(z)}) where 

H(z) = case z of inl x h-» ( do z ^— p: case z of 

inl x\ i-> cont(inl xi); 
inr X2 i-> ( next ^2 is rest a; M> cont(inr x); 

donex h-> stopx)); 
inrr i-> ( next out(r) is restx i-> cont(inrx); 

donex t-> stopx). 

Let us show that i^inr x) = x. By (corec), 

out(.F(z)) = next H(z) is restx h4 contF(z); done i— ► stopx. (1) 
Note that 

iJ(inrx) = next out(x) is restx cont(inrx); donex n> stopx 
from which we conclude that 

out(.F(inr x)) = next out(x) is restx M> conti^inrx); donex i-> stopx. 
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The latter means that (F o inr) satisfies the same equation as the identity function. 
Hence, by (corec) both these functions must be provably equal, i.e. for every x, 
.F(inrx) = x. Now, (1) can be simplified down to: 

out(F(z)) = case z of inl x i-)- ( next p is rest x\ i->- cont F(inl(xi)); 



By (corec) F is uniquely defined by this equation. It can be verified by routine 
calculations that f(x) = F(\n\ x) is a solution of (**). In order to prove uniqueness, 
let us assume that g is some other solution of (**). Let 



Clearly, g(x) = G(inl x) and it can be shown that G satisfies the equation defining 
F. Therefore g(x) = G(inl x) = F(\n\ x) = f(x) and we are done. 

(ii) Let n > 1, p\ = cont/(xi) and for every i > 1, pi does not contain /. We reduce 
this case to the previous one as follows. Observe that, by assumption, 

out(/(x)) = do z <— p; case z of inl x\ M> cont f(xi); inrz M> q 

where q = (case z of inj"" 1 X2 H- p2\ ■ ■ ■ ; inj"lj x„ i-> p n ). According to (i), / 
is uniquely definable and thus we are done. 

(iii) Let for some index k, pi = cont/(x) for i < k and pi does not contain / for 
i > k. If k = 1 and n > 1 then we arrive precisely at the situation captured by the 
previous clause and hence we are done. If k = n = 1 then (**) takes the form: 



which can be transformed to: 

out(/(x)) = next(do x p; rests) is rests h-> cont/(x); donex h-> stopx 

and hence we are done by (corec). Suppose that k > 1, n > 1 and proceed by 
induction over k. Let 




nr r \-> r. 



G(z) = case z of inl x t->- g(x)\ inrr i-> tuo(r). 



out(/(a:)) = do i <- p; cont/(x), 



r . -tj— 2 ■ ■ 

g = case z or injj^ x 3 i-> p 3 ; ... ; mj 



■n-2 
Jn-2 



X n -2 l-> Pn-2- 



Then we have: 



out(/(x)) = do 2 <— p; case z of inl x\ ^ cont /(xi); 

inrinlx2 ^cont/(x2); 
inrinrz n- g 
= next (do z <— p; case z of inl x\ i— ^contxi; 

inr inl £2 i-> contx2; 
inr inr z stop z) is 
restx H> cont/(x); donex h-> g 



and thus we are done by induction hypothesis. 
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(iv) Finally, we reduce the general claim to the case captured by the previous clause as 
follows. First observe that if neither of the pi contains / then the solution is given 
by the equation: 



f(x) = tuo(do z <— p; case z of inj™ x\ i-> pi; . . . ; injJJ x n i-> p n ). 

In the remaining case there should exist an index k and a permutation a of numbers 
1, . . . , n such that for every i < k, p a u) = rest f(x) and for every i > k, p a (i) 
does not contain /. By a slight abuse of notation we also use a as function A\ + 
. . . + A n — > A^m + . . . + A CT („) rearranging the components of coproducts in the 
obvious fashion. Then 

out(/(x)) = do z <— p; case z of inj" x\ \- > pi; . . . ; inj^ x n h-> p„ 



Proof of Theorem 5. We will need the following slight generalisation of Lemma 9. 

Lemma 10. Let f be a fresh functional symbol, i.e. f ^ S. Given appropriately typed 
programs p, pi, . . . , p n , q\ , . . . , q n such that for every i, pi either does not contain f or 
is of the form cont f(qi), there is a unique function f satisfying (**). 

Proof. W.l.o.g. qi = x whenever pi does not contain /. We can rewrite (**) to 

out(/(x)) = do z 4— q; case z of inl™ x\ i-)- n; . . . ; inl™ x n h-> r n 

where q = (do z p; case z of inj™ x\ h-> ret inj" qi; . . . ;inj"x„ h-> ret inj™ g„), 
rj = cont(/(x)) if p» = cont(/(q.;)) and = p, otherwise. Now we are done by 
Lemma 9. □ 

W.l.o.g. m = . . . = 7)fc: otherwise we replace every pj by 

do z -s— please z of injj* x\ i— > inj x xi; ... ; inj n * x ni i-> mj n . 

where n = max^ rij and complete the case in (5) arbitrary to match the typing. Observe 
that if the result types of fa do not coincide, (5) falls in two mutually independent parts: 
once the result types of fi, fk are distinct, can not appear in the definition of fa and 
vice versa. Therefore, in the remainder we assume w.l.o.g. that /j has type Ai —¥ A. 
Consider the following corecursive definition: 

out(F(y)) = do v <— q: case v of 



do z <— (do z ^— p; ret cr(z)); 

case z of inj™ (1) x a{1) i-> p a(1) ; . . . ; inj; l (n) x (t(ii) h-> p (T(n) 



and thus we are done by (iii). 



□ 



inj^ z i-> (case 2 of inj™ £1 >->• gj; 



i nj^j z (case z of inj™ a?i i-> g^; 
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where 



q = case y of injj x\ i-> (do z ^— ret i nj J z); . . . ; injji Xk <-> (do z <— p^; ret inj£ z) 

and the are defined as follows: q l - = contF(inj m aij) if Pj = cont f m ( x j) ar >d 
Qj = Pj otnerw i se - By Lemma 10, it uniquely defines F. It is easy to calculate that by 
taking fi(x) = F(\nj^(x)) we obtain a solution of (5). Let us show it is also unique. 
Suppose that gi is another solution. Then G defined by the equation 

G{y) = case y of injj x H- gi{x); ... ; inj£ x i-> g fc (:r) 

is easily seen to satisfy the same corecursive scheme as F and thus F = G. Therefore, 
for every i, gi(x) = G(injf x) = F(injf x) = fi(x) and we are done. □ 

Proof of Theorem 4. Soundness. We only establish soundness of the rule (corec) since 
the remainder is more or less standard. Let g = [P, x : A t> q : T(A + £?)J, h — fr,x : 
A\> p : T U B\ and / = T(dist) o t(tti , g). Then the top of (corec) can be rewritten to 

h = Rn 2 oF f . (2) 
Let us show that the bottom of (corec) can be rewritten to 

a [BI o h = T(h + 7r 2 ) o /. (3) 

Indeed, we have: 

a lm oh = [out(p)] 

= [do z <— q; case z of inl x h-» ret inlp; inr i/ 1— > ret inr yj 

= T((/i o (7Ti7Ti x id) + -K2) ° cfist o (id, 1^2)) ° i~(id, (?) 

= T((/i + 7T2) o {ttiHi x id +7Ti7Ti x id) o dist o (id, 712)) o r(id, g) 

= T((/i + 772)0 dist o (ttitti x id) o (id, 772)) o r(id, g) 

= T((h + 712) o disi o (71"! x id)) o r(id, g) 

= T[h + 7T2) o T(dist) o T(wi,g) 

= T(h + Tr 2 )of 

In order to complete the proof, we are left to establish equivalence of (2) and (3). 
The proof of the implication (2) =>■ (3) is as follows: 

a m oh = a m o i?7r 2 o F f 

= T(Rtt 2 + 7r 2 ) o a m * [s] o Ff 

= T(Rn 2 + tt 2 ) o T(F f + id) o T(dist) o r(7ft,ff) 

= T(Rn 2 ° Ff + 7r 2 ) o T(dist) o T{ix\,g) 

= T(h + 7T2) o T(dist) o T(wi,g) 

= T(h + 7T2)of. 
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In order to prove (3), => (2) let us assume (3). Observe that we can equivalently present 
the latter as a lBl oh = T(h + id) o w where w = T(id+7T2) o /. I.e. h satisfies the 
equation, which characterises Ff and thus h = F w - We are left to show that Rir 2 o Ff 
also satisfies this equation. Indeed: 

a [B joi?7r 2 o Ff 

= T(Rtt 2 + tt 2 ) o a [r j x , B] o Ff 

= T{Rn 2 + tt 2 ) o T(F f + id) o T(dist) o r{in,g) 

= T(Rn 2 o Ff + 7r 2 ) o T(dist) o r{-Ki,g) 

= T(Rn 2 o Ff + 7r 2 ) o / 

= T{Rn 2 o F f + id) o T(id +tt 2 ) o / 

= T(Rir 2 o Ff + id) o w. 

We have thus h = F w = Rk 2 o Ff and the proof is completed. 

Completeness. By term model construction. □ 
Proof of Lemma 7. Suppose that {0}p{V>}- Then we have: 

do x <— 0; y <S— p; z <— ip; ret(x, y, z, x => z) 

= do x <r- 0; y <S— filter(0,p, -0); z Vi ret(x, y, z, x z) 
= do a; <— 0; y <!— (do X <— 0; y <— p; z ^; 

if (x' =>■ z') then ret y' else 0); z <— V>; ret(x, y, z, x z) 
= do x -f- 0; x 0; y' p; z <— ?/>; 

if (x' =>■ z') then do y ret y'; z <— -0; ret(x, y, z, x =>■ z) 
else do y 0; z -0; ret(x, y, z, x z) 
= do x <— 0; y «— p; z <— if (x =>• z) then ret(x, y, z, x =>• z) else 
= do x 0; y <S— p; z <— ?/>; if (x z) then ret(x, y, z, T) else 
= do x <— 0; y <S— p; z ?/>; ret(x, y, z, T) 

On the other hand, provided the equation 

do x <— 0; y <— p; z <— ip; ret(x, y, z, x =>■ z) = 
do x ■<— 0; y <— p; z <— ip; ret(x, y, z, T), 

we have: 

filter(0,p,-0) 

= do x <— 0; y ^— p; z if (a; z) then ret y else 

= do (x, y, z, w) (do x <— 0; y ^— p; z ^— -0; ret(x, y, z, x =>• z)); 

if v then rety else 
= do (x, y, z, v) «- (do x <- 0; j/ «- p; z «- -0; ret(x, y, z, T)); 

ifu then rety else 
= do x <— 0; y <— p; z if T then ret y else 
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By definition, this means validity of the Hoare triple {4>}p{i[i}. 



19 



